OArepo Enrollment library for record metadata validation
Project description
oarepo-enrollment-permissions
Work in progress, do not use yet
OArepo Enrollment Permissions library is a bridge between oarepo-enrollment library and invenio records. It provides means to assign user permission to perform actions upon a record (list, update, delete, custom actions).
Installation
pip install oarepo-enrollment-permissions
Usage
- In your rest configuration, set
search_classclass either tooarepo_enrollment_permissions.RecordsSearchor to a class inheriting fromoarepo_enrollment_permissions.RecordsSearchMixin. - If your
read_permission_factory_impis notcheck_elasticsearch, be sure to include the result ofoarepo_enrollment_permissions.read_permission_factoryin your permission factory - see below for details). - Use
oarepo_enrollment_permissions.update_permission_factoryas your update permission factory (or call if from your own permission factory - see below for details). - Use
oarepo_enrollment_permissions.delete_permission_factoryas your delete permission factory (or call if from your own permission factory - see below for details). - Use
oarepo_enrollment_permissions.create_permission_factoryas your create permission factory (or call if from your own permission factory - see below for details).
Now you are all set, no one has an access until granted.
Granting access
Access is granted via enrollment process. The following enrollment types are available:
Collection
Gives rights to manipulate with a collection. A collection is defined as records with the same values at a given json pointer (specified in configuration or passed to the enroll call).
To grant access to a collection on command-line, call:
invenio oarepo:enroll collection <email> <collection key> actions=read,update,delete,create
If you want to perform the same in REST API, call:
{
'enrollment_type': "collection",
'recipient': "someone@example.com",
'external_key': 'test',
'operation': 'read'
// either comma separated or an array
}
Single record
You can grant rights to a single record as well. To do that, invoke:
invenio oarepo:enroll record <email> <record_uuid> actions=read,update,delete
Again, the same can be achieved via API:
{
'enrollment_type': "record",
'recipient': "someone@example.com",
'external_key': '1234-...-1234',
'operation': 'read'
// either comma separated or an array
}
Listing and Revoking access
See oarepo-enrollment for help with these.
Customizing search/listing permissions
The provided search class (or mixin) behaves a bit differently than the default invenio RecordsSearch. For anonymous users, the default behaviour is to return empty collection. For authenticated users, enrollments are inspected and are used to filter the records.
This process can be customized via:
from oarepo_enrollment_permissions import RecordsSearch
class MyRecordsSearch(RecordsSearch):
class Meta:
# put customizations in here
pass
Anonymous user
If anonymous user should get access to all/some records, specify default_anonymous_filter
property on Meta class.
This property can be either elasticsearch query (Q, Bool) or it might be a function with a signature
default_anonymous_filter(search=<RecordsSearch>, **kwargs) -> Union[Q, Bool]. The result of the function is passed
to the default elasticsearch filter.
Authenticated user
On Meta class, invenio supports passing default_filter. For convenience reasons this library
adds default_filter_factory(search=<RecordsSearch>, **kwargs) -> Union[Q, Bool] that takes precedence if used.
At first the library looks at all successful enrollments of the user whose handler contains
get_elasticsearch_filter class method. Then these handlers are called (with the enrollments as parameters) to get
filtering query.
There might be a default_filter defined on the search. If it is, the queries from handlers are combined with the
default filter depending on the value of default_filter_mode Meta property:
or(the default value) - user is granted access if eitherdefault_filteror at least one of handler filters matchand- user is granted access ifdefault_filterand at least one of handler filters match.
If there is no default_filter used, user is granted access to the record if at least one of handler filters match.
API
Implementing custom permission-enabled enrollment handler
To implement a custom permission-enabled handler, add the following methods:
from oarepo_enrollments import EnrollmentHandler
from invenio_accounts.models import User
from elasticsearch_dsl import Q
class MyCollectionAccess(EnrollmentHandler):
def enroll(self, user: User, role=None, **kwargs) -> None:
# no handling required for collections
pass
def revoke(self, user: User, role=None, **kwargs) -> None:
# no handling required for collections
pass
def get_elasticsearch_filter(self, search=None, queryset=None, **kwargs):
collections = []
for enrollment in queryset:
collection = enrollment.extra_data.get('collection')
if collection:
collections.append(collection)
if collections:
return Q('terms', collections=collections)
return None
def post_filter_elasticsearch_result(self, search=None, result=None, **kwargs):
# can be used to hide metadata from results
pass
Configuration
Collection permissions configuration
To use builtin collection permissions, you have to specify the path or query for filtering collections. There are two ways of doing that - global and per-search.
Global configuration
In your config file, set:
OAREPO_ENROLLMENT_PERMISSIONS_COLLECTION_FILTER = 'collection'
This can be either path in the document that will be placed to Q('terms', <path> = [allowed collections])
or it might be a callable (search=None, collections=None, **) that should return either elasticsearch Q
or Bool.
Local configuration
Alternatively, define the path/callable on Meta:
from oarepo_enrollment_permissions import RecordsSearch
from elasticsearch_dsl import Q
class MyRecordsSearch(RecordsSearch):
class Meta:
permissions_collection_filter = 'collections'
# or
@classmethod
def permissions_collection_filter(cls, search=None, collections=None, **kwargs):
return Q('terms', collection__key=collections)
Record permissions configuration
Normally there is no need to override record configuration.
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
File details
Details for the file oarepo-enrollment-permissions-1.0.0.tar.gz.
File metadata
- Download URL: oarepo-enrollment-permissions-1.0.0.tar.gz
- Upload date:
- Size: 12.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.2.0 pkginfo/1.6.1 requests/2.25.0 setuptools/50.3.2 requests-toolbelt/0.9.1 tqdm/4.54.1 CPython/3.8.6
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | ab95f769f3446573e34cc1688dc36a6558f3c82e6ad6d51d30b212b4954b4a2e |
|
| MD5 | 31960bbd8df3d0e3b97b8e932e22be1f |
|
| BLAKE2b-256 | 3221a7feb7efece144b401d02becf347591d53322e6bda7c643ff48daea655d0 |
File details
Details for the file oarepo_enrollment_permissions-1.0.0-py2.py3-none-any.whl.
File metadata
- Download URL: oarepo_enrollment_permissions-1.0.0-py2.py3-none-any.whl
- Upload date:
- Size: 18.6 kB
- Tags: Python 2, Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/3.2.0 pkginfo/1.6.1 requests/2.25.0 setuptools/50.3.2 requests-toolbelt/0.9.1 tqdm/4.54.1 CPython/3.8.6
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 393788b55c5ca18ab93e8eb092544e180ee9930effb83e98d6b184586060c24b |
|
| MD5 | 1861f312f80aa78d94a98915ca9d5880 |
|
| BLAKE2b-256 | e18db13e3a55340ab36be8bc96b1d75375282b44fdafb72e6b3f79526035c0bf |
